[crypto] Parse OCSP responder URI from X.509 certificate

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2025-12-25 17:12:40 +03:00 · 2012-04-30 01:49:01 +01:00
parent f91995f193
commit 601cb3610f
4 changed files with 194 additions and 11 deletions
--- a/src/include/ipxe/asn1.h
+++ b/src/include/ipxe/asn1.h
@@ -53,6 +53,9 @@ struct asn1_cursor {
 /** ASN.1 set */
 #define ASN1_SET 0x31

+/** ASN.1 implicit tag */
+#define ASN1_IMPLICIT_TAG( number) ( 0x80 | (number) )
+
 /** ASN.1 explicit tag */
 #define ASN1_EXPLICIT_TAG( number) ( 0xa0 | (number) )

@@ -158,6 +161,20 @@ struct asn1_cursor {
 	ASN1_OID_TRIPLE ( 113549 ), ASN1_OID_SINGLE ( 1 ),	\
 	ASN1_OID_SINGLE ( 7 ), ASN1_OID_SINGLE ( 2 )

+/** ASN.1 OID for id-pe-authorityInfoAccess (1.3.6.1.5.5.7.1.1) */
+#define ASN1_OID_AUTHORITYINFOACCESS				\
+	ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 5 ),		\
+	ASN1_OID_SINGLE ( 5 ), ASN1_OID_SINGLE ( 7 ),		\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 1 )
+
+/** ASN.1 OID for id-ad-ocsp (1.3.6.1.5.5.7.48.1) */
+#define ASN1_OID_OCSP						\
+	ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 5 ),		\
+	ASN1_OID_SINGLE ( 5 ), ASN1_OID_SINGLE ( 7 ),		\
+	ASN1_OID_SINGLE ( 48 ), ASN1_OID_SINGLE ( 1 )
+
 /** Define an ASN.1 cursor containing an OID */
 #define ASN1_OID_CURSOR( oid_value ) {				\
 		.data = oid_value,				\
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -50,9 +50,9 @@ struct x509_validity {
 	struct x509_time not_after;
 };

-/** An X.509 name */
-struct x509_name {
-	/** Name (not NUL-terminated) */
+/** An X.509 string */
+struct x509_string {
+	/** String (not NUL-terminated) */
 	const void *data;
 	/** Length of name */
 	size_t len;
@@ -71,7 +71,7 @@ struct x509_subject {
 	/** Raw subject */
 	struct asn1_cursor raw;
 	/** Common name */
-	struct x509_name name;
+	struct x509_string name;
 	/** Public key information */
 	struct x509_public_key public_key;
 };
@@ -128,6 +128,18 @@ enum x509_extended_key_usage_bits {
 	X509_CODE_SIGNING = 0x0001,
 };

+/** X.509 certificate OCSP responder */
+struct x509_ocsp_responder {
+	/** URI */
+	struct x509_string uri;
+};
+
+/** X.509 certificate authority information access */
+struct x509_authority_info_access {
+	/** OCSP responder */
+	struct x509_ocsp_responder ocsp;
+};
+
 /** An X.509 certificate extensions set */
 struct x509_extensions {
 	/** Basic constraints */
@@ -136,6 +148,8 @@ struct x509_extensions {
 	struct x509_key_usage usage;
 	/** Extended key usage */
 	struct x509_extended_key_usage ext_usage;
+	/** Authority information access */
+	struct x509_authority_info_access auth_info;
 };

 /** An X.509 certificate */
@@ -188,6 +202,22 @@ struct x509_key_purpose {
 	unsigned int bits;
 };

+/** An X.509 access method */
+struct x509_access_method {
+	/** Name */
+	const char *name;
+	/** Object identifier */
+	struct asn1_cursor oid;
+	/** Parse access method
+	 *
+	 * @v cert		X.509 certificate
+	 * @v raw		ASN.1 cursor
+	 * @ret rc		Return status code
+	 */
+	int ( * parse ) ( struct x509_certificate *cert,
+			  const struct asn1_cursor *raw );
+};
+
 /** An X.509 root certificate store */
 struct x509_root {
 	/** Fingerprint digest algorithm */